Managing Secrets using Kustomize
kubectl
supports using the Kustomize object management tool to manage Secrets
and ConfigMaps. You create a resource generator using Kustomize, which
generates a Secret that you can apply to the API server using kubectl
.
Before you begin
You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not acting as control plane hosts. If you do not already have a cluster, you can create one by using minikube or you can use one of these Kubernetes playgrounds:
Create a Secret
You can generate a Secret by defining a secretGenerator
in a
kustomization.yaml
file that references other existing files, .env
files, or
literal values. For example, the following instructions create a Kustomization
file for the username admin
and the password 1f2d1e2e67df
.
stringData
field for a Secret does not work well with server-side apply.Create the Kustomization file
secretGenerator:
- name: database-creds
literals:
- username=admin
- password=1f2d1e2e67df
Store the credentials in files. The filenames are the keys of the secret:
echo -n 'admin' > ./username.txt echo -n '1f2d1e2e67df' > ./password.txt
The
-n
flag ensures that there's no newline character at the end of your files.Create the
kustomization.yaml
file:secretGenerator: - name: database-creds files: - username.txt - password.txt
You can also define the secretGenerator in the kustomization.yaml
file by
providing .env
files. For example, the following kustomization.yaml
file
pulls in data from an .env.secret
file:
secretGenerator:
- name: db-user-pass
envs:
- .env.secret
In all cases, you don't need to base64 encode the values. The name of the YAML
file must be kustomization.yaml
or kustomization.yml
.
Apply the kustomization file
To create the Secret, apply the directory that contains the kustomization file:
kubectl apply -k <directory-path>
The output is similar to:
secret/database-creds-5hdh7hhgfk created
When a Secret is generated, the Secret name is created by hashing the Secret data and appending the hash value to the name. This ensures that a new Secret is generated each time the data is modified.
To verify that the Secret was created and to decode the Secret data,
kubectl get -k <directory-path> -o jsonpath='{.data}'
The output is similar to:
{ "password": "UyFCXCpkJHpEc2I9", "username": "YWRtaW4=" }
echo 'UyFCXCpkJHpEc2I9' | base64 --decode
The output is similar to:
S!B\*d$zDsb=
For more information, refer to Managing Secrets using kubectl and Declarative Management of Kubernetes Objects Using Kustomize.
Edit a Secret
In your
kustomization.yaml
file, modify the data, such as thepassword
.Apply the directory that contains the kustomization file:
kubectl apply -k <directory-path>
The output is similar to:
secret/db-user-pass-6f24b56cc8 created
The edited Secret is created as a new Secret
object, instead of updating the
existing Secret
object. You might need to update references to the Secret in
your Pods.
Clean up
To delete a Secret, use kubectl
:
kubectl delete secret db-user-pass
What's next
- Read more about the Secret concept
- Learn how to manage Secrets using kubectl
- Learn how to manage Secrets using config file